OFFICE OF INSPECTOR GENERAL
UNITED STATES POSTAL SERVICE

Fiscal Year 2013 Information Technology Internal Controls

Audit Report

March 26, 2014

Report Number IT-AR-14-003


March 26, 2014

Fiscal Year 2013 Information Technology Internal Controls

Report Number IT-AR-14-003

BACKGROUND:
The Postal Accountability and Enhancement Act of 2006 requires the U.S. Postal Service to comply with the Sarbanes-Oxley Act and make an assertion on the effectiveness of the internal control structure over financial reporting. We conducted this audit in support of the independent public accounting firm’s overall audit opinions on the Postal Service’s financial statements and internal controls over financial reporting.

The Information Technology system-level environment includes control processes needed to administer, secure, and monitor key financial systems. Our objective was to evaluate and test key system-level internal controls over information systems.

WHAT THE OIG FOUND:
The system-level internal controls we tested were properly designed and generally operating effectively. For example, database software controls functioned properly when we tested password security settings and updates. However, we identified opportunities to strengthen certain controls, which would reduce the risk information technology resources would be compromised. Specifically, these improvements would help control owners better manage change management policies and job scheduling procedures for the [redacted] and strengthen administrator access controls for workload scheduling software.

Management also took corrective action to address eight additional issues identified during our audit. We also confirmed management took corrective actions to address 15 prior year issues and is currently remediating 12 other issues reported during fiscal years 2010 through 2012.

We discussed related causes and recommended actions to improve the control environments. The control weaknesses identified, alone or collectively, do not prevent reliance on system-level internal controls for accurate and timely financial reporting.

Corrective actions can reduce the risk of a compromise that could harm the confidentiality, integrity, and availability of information resources.

WHAT THE OIG RECOMMENDED:
We recommended management ensure [redacted] administrators follow job control policies and implement a job scheduling procedure. We also recommended management properly document changes to computer command lists and require a password expiration setting for the workload automation software.


March 26, 2014

MEMORANDUM FOR:   JOHN T. EDGAR
                  VICE PRESIDENT, INFORMATION TECHNOLOGY

FROM:             John E. Cihota
                  Deputy Assistant Inspector General
                  for Financial and Systems Accountability

SUBJECT:          Audit Report – Fiscal Year 2013 Information Technology Internal Controls
                  (Report Number IT-AR-14-003)

This report presents the results of our audit of Fiscal Year 2013 Information Technology Internal Controls (Project Number 13BM007IT000).

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Sean D. Balduff, acting director, Information Technology, or me at 703-248-2100.

Attachment

cc: Julie S. Moore
    Corporate Audit and Response Management


Fiscal Year 2013 Information Technology Internal Controls                                  IT-AR-14-003

TABLE OF CONTENTS

Introduction
Conclusion
Three Open Fiscal Year 2013 Information Technology Issues
Corrective Actions Taken for Eight Fiscal Year 2013 Issues
Status of Open Information Technology Issues Reported in Prior Years
Recommendations
Management’s Comments
Evaluation of Management’s Comments
Appendix A: Additional Information
   Background
   Objective, Scope, and Methodology
   Prior Audit Coverage
Appendix B: Open Fiscal Year 2013 Information Technology Issues
Appendix C: Closed Information Technology Issues Reported in Prior Years
Appendix D: Status of Open Information Technology Issues Reported in Prior Years
Appendix E: Trademark Information
Appendix F: Management’s Comments


Introduction

This report presents the results of our audit of Fiscal Year (FY) 2013 Information Technology (IT) Internal Controls (Project Number 13BM007IT000). We conducted this self-initiated audit in support of the independent public accounting (IPA) firm’s overall audit opinions on the U.S. Postal Service’s financial statements and internal controls over financial reporting.[1] Our objective was to evaluate and test key infrastructure-level internal controls over information systems at Postal Service IT and Accounting Service Centers (IT/ASCs) and related IT organizations.[2]
During the audit, we met regularly with the IPA firm and Postal Service representatives to report and discuss gaps in controls, initial test results, and control deficiencies.[3] See Appendix A for additional information about this audit and a description of the IT process areas we reviewed.

The Postal Reorganization Act of 1970, as amended, requires annual audits of the Postal Service’s financial statements. Additionally, SOX was enacted in 2002 to strengthen public confidence in the accuracy and reliability of financial reporting. Section 404 of SOX requires management to state its responsibility for establishing and maintaining an adequate internal control structure. That section also directs management to make an assertion on the effectiveness of the internal control structure over financial reporting. The Postal Accountability and Enhancement Act of 2006 required the Postal Service to begin complying with SOX Section 404 in FY 2010. The Board of Governors contracted with the IPA firm to express opinions on the Postal Service’s financial statements and internal controls over financial reporting.

Conclusion

The infrastructure-level internal controls we tested were properly designed and generally operating effectively. For example, database software controls functioned properly when we tested the password security settings and update process. However, we identified opportunities to strengthen certain controls that would reduce the risk that information resources would be compromised.[4]

[1] The IPA firm maintains overall responsibility for testing and reviewing all IT controls. The U.S. Postal Service Office of Inspector General (OIG) coordinated audit work with the IPA firm to ensure adequate coverage.
[2] Infrastructure-level controls are system controls consisting of processes for managing specific system resources related to either a general support system or a Sarbanes-Oxley Act (SOX) application.
[3] A control deficiency exists when the design or operation of a control does not allow management, in the normal course of performing its assigned functions, to prevent or detect and correct misstatements timely.
[4] Information resources are all Postal Service information assets, including information systems, hardware, software, data, applications, telecommunications networks, computer-controlled mail processing equipment, and related resources and the information they contain.

Restricted Information

Specifically, these improvements would help control owners better manage change management policies and job scheduling procedures for the [redacted] application and strengthen [redacted].

Management also took corrective action to address eight additional issues identified during the audit. We also confirmed management took corrective actions to address 15 prior year issues and is currently remediating 12 other issues reported during FYs 2010 through 2012. See Appendix C for a summary of the corrective actions.

We reported these control deficiencies in detail to management during our audit, discussed related causes, and recommended actions to improve the control environments.
The control weaknesses identified in prior fiscal years and in FY 2013, alone or collectively, do not prevent reliance on internal controls for the accuracy and timeliness of financial reporting. Corrective actions can reduce the risk of a compromise that could harm the confidentiality, integrity, and availability of information resources; and preserve customer confidence in the Postal Service brand.

Three Open Fiscal Year 2013 Information Technology Issues

While testing assigned infrastructure-level controls in FY 2013, the OIG reported three new control deficiencies and process improvements to management and recommended corrective actions. The IT Compliance Management Office (CMO) tracks each of the issues on the Gap Evaluation Tracker (GET) for deficiencies.[8]

[6] An administrator account provides full access to a computer’s files and folders. Administrator access is mandatory for completing many tasks, such as some software installation or certain system maintenance and management.
[7] An automated scheduling and processing program supporting distributed platforms. The enterprise manager provides a one-stop monitoring view for all jobs.
[8] Management uses the GET to track business and IT SOX-related issues. Each issue is assigned a unique number containing the current fiscal year. In addition, the IT SOX CMO maintains records of less significant issues (known as process improvements) the GET does not report.

As of December 16, 2013, management had open issues requiring corrective action in the following areas:

1. Administrator personnel[9] did not always follow change management policies. Specifically, administrators did not follow the formal version control policy[10] for modifications to the Visual Basic Script (VBScript)[11] used to monitor the critical [redacted] CA Workload Automation AE[12] scheduled jobs. Instead, administrators achieved versioning by saving the name of the script prior to making major changes.[13]

2. A job scheduling procedure that documents critical jobs does not exist as required.[14] This occurred because previous management did not develop a scheduling procedure and current management was not aware of the requirement.

3. The password expiration setting for a [redacted] administrator was set to 90, rather than 30, days.[15] Management changed the expiration setting back to 30 days after we raised the issue. However, future occurrences may not be detected because the IT master control states Postal Service internal reviewers obtain evidence[16] of password settings from [redacted] administrators. These administrators could alter the password settings before or after providing evidence to the reviewers. Internal reviewers could use the [redacted] tool to directly review current password settings instead of requesting the evidence from the administrators.

By continuing to improve controls in these areas, management can reduce the risk of a security compromise and increase the likelihood of timely detection to protect the confidentiality, integrity, and availability of information resources and data. See Appendix B for additional details related to each of the issues identified in FY 2013.

[9] Employees and contractors who work at the [redacted] (ITSC).
[10] Postal Service Handbook AS-805, Information Security, Section [redacted], May 2013.
[11] VBScript enables administrators to manage desktop settings and applications.
[12] CA Workload Automation AE is designed to deliver broad-based multiplatform facilities for dynamic service management, event- and policy-driven workload scheduling, resource allocation, automation, and business process optimization. This tool also provides real-time or "on-demand" responses to events, in accordance with business priorities or other policy-based service requirements.
[13] The [redacted] team saves script names prior to making major changes in the following format: ChkOne_YYYYMMDD.vbs.
[14] The [redacted] Job Monitoring procedure requires that the “[redacted] CA-Autosys – Job Scheduling Procedure” exist for listing critical batch jobs and corresponding [redacted] processes and be stored on site by the [redacted] team.
[15] Handbook AS-805, Section [redacted].
[16] The first test step in the control “[redacted]_PW_Parm_Config” recommends the reviewer obtain a screenshot of the “System Parameters” from the [redacted] system administrator.

Corrective Actions Taken for Eight Fiscal Year 2013 Issues

Management took corrective action[17] to address the following eight issues we identified during our FY 2013 audit:

1. Migrate the existing Systems Applications and Products[18] [redacted] application[19] from the Advanced Interactive eXecutive (AIX) operating system to the [redacted] operating system.

2. Modify security privileges for an [redacted][22] developers group to prevent its access to the production environment.

3. Restrict access to mainframe security datasets from “write” to “read only” for nine [redacted] users.

4. Modify a mainframe operating system parameter library[23] to include appropriate corresponding comment lines and change request numbers.

5. Ensure records of monthly mainframe software reviews are placed in an artifact email account.[24]

6. Upload quarterly badge access review documentation to the artifact library.[25]

7. Monitor the email artifact account to verify that all managers have replied to badge access review requests.

8. Correct the list of [redacted][26] users who have administrative access to perimeter firewall appliances.

[17] Management initiated and completed these corrective actions during our audit; therefore, they did not require the IT CMO’s participation in the corrective action process.
[18] The original name for the acronym, SAP, was: “Systeme, Anwendungen, Produkte,” meaning Systems Applications and Products (in German).
[19] An enterprise-wide application used to process and manage general personnel records (for example, Postal Service Form 1727, Award Recommendation/Authorization [Quality Step Increase]).
[20] The original [redacted] platform consisted of the International Business Machine (IBM) Mainframe version z10 z/OS/DB2 system and xLinux/AIX applications. DB2 is IBM’s relational database management system and a formal subsystem of the z/OS mainframe operating system.
[21] The [redacted]
[22] [redacted]
[23] The parameter files are part of z/OS, the operating system for Postal Service mainframes, produced by IBM.
[24] As part of the SOX software review (patching) procedures, centralized email accounts (folders/distribution lists) were established in Outlook to archive vendor notifications regarding various software updates. Specifically, on a semiannual basis, the [redacted] – under the [redacted] manager should review an email account called “[redacted] SOX Artifact [redacted].” This email account serves as an archive for an evaluation by support team members, to determine whether [redacted] team members should implement the recommended software updates before the next standard maintenance cycle.
[25] Also known as the [redacted], the artifact library serves as the repository for SOX and non-SOX related IT procedures and it contains all artifacts that are not posted in the technology solutions life cycle library.

Status of Open Information Technology Issues Reported in Prior Years

During our control tests in FY 2013, we reviewed the status of any prior year open issues for which management took or completed corrective action. We found the corrective actions addressed several of these issues and concurred with management’s requests to close them. The OIG confirmed that the CMO took corrective action to close 15 issues identified in earlier reports (see Appendix C for specific actions taken). Likewise, the CMO began remediation efforts on 12 open issues (see Appendix D for details regarding the remediation efforts on these issues).
Table 1 summarizes the status of corrective actions taken this year on prior years’ issues.

Table 1: Summary of Corrective Actions Taken in FY 2013

                                               Total Number of Issues Identified by Fiscal Year    Total Number of
Status                                              FY 2010        FY 2011        FY 2012           Issues by Category
Remediation in Progress                                   1              6              5                        12
Issue Closed With Confirmation From the OIG               1              2             12                        15
Total                                                     2              8             17                        27

Recommendations

We recommend the vice president, Information Technology, direct the Information Technology Compliance Management Office, in coordination with the manager, [redacted], to:

1. Reiterate to [redacted] administrators to follow control policies in managing critical jobs and script versions.

2. Implement a job scheduling procedure for the [redacted] that documents critical jobs.

We recommend the vice president, Information Technology:

3. Direct the Information Technology Compliance Management Office to require Postal Service internal reviewers to use the [redacted] tool to directly obtain evidence of password settings.

[26] Commonly used to provide centralized authentication, authorization, and accounting for dial-up, virtual private network, and, more recently, wireless network access.
[27] The Postal Service maintains perimeter firewalls as a technical, preventive control that limits access and services between networks by accepting or blocking network traffic according to security policy.

Management’s Comments

Management agreed with each of our findings and recommendations and will develop detailed corrective actions in coordination with the particular control owners and in consideration of the OIG’s recommendations. Based on a subsequent discussion, the IT CMO plans to review specific corrective actions with the OIG for concurrence and will track the actions to completion. Management plans to complete corrective actions for all three recommendations by June 30, 2014.

See Appendix F for management’s comments in their entirety.

Evaluation of Management’s Comments

The OIG considers management’s comments responsive to the recommendations and the planned actions should resolve the issues identified in the report.

The OIG considers all recommendations significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed.
These recommendations should not be closed in the Postal Service’s follow-up tracking system until the OIG provides written confirmation that the recommendations can be closed.


Appendix A: Additional Information

Background

The Postal Service’s SOX and Process Improvement Office established the IT SOX CMO to manage annual documentation, testing, remediation, reporting, and certification requirements for meeting and maintaining IT SOX compliance. The IT SOX CMO is responsible for developing and implementing internal IT SOX master controls,[28] including both general computer and application-specific controls. The [redacted] IT/ASCs provide computer processing and accounting services for the Postal Service. The [redacted] ITSC provides infrastructure services for nearly 32,000 Postal Service locations. Each site includes multiple service organizations that deploy and support systems and applications; provide accounting and finance activities; and perform application development, enhancement, and system maintenance that enable the Postal Service to achieve its business objectives. These organizations currently support [redacted] financial[29] applications and [redacted] IT-related applications or infrastructure components relevant to SOX Section 404 compliance.[30]

The IT infrastructure environment consists of six process areas:

• Operating System.
• Database.
• Infrastructure.
• Operations.
• Application-Unique.
• Company-wide.

For FY 2013 reporting, we were responsible for testing [redacted] IT infrastructure components within the six process areas shown in Table 2.

[28] A uniquely named control designed to mitigate risks associated with the infrastructure (for example, database, operating system, and so forth) supporting in-scope financial applications. Master controls are either general in nature (such as addressing [redacted] security parameters) or application-unique (tailored specifically for the accounting reporting application).
[29] The IT SOX CMO considers these significant business applications supporting an in-scope business process.
[30] The IT SOX CMO determined these IT systems have a comprehensive impact on the IT control environment or are relied on by in-scope applications for coverage of controls.

Table 2: IT Infrastructure Process Area

IT Process Area: Operating System
Description: This area is composed of the three types of operating systems that support financial and IT-related applications. They include z/OS — which functions in a mainframe environment — [redacted], and [redacted]. The [redacted] includes multiple subtypes, including Solaris, [redacted] and AIX.

IT Process Area: Database
Description: This area encompasses the numerous database structures that support either financial or infrastructure applications. They include DB2,[32] [redacted] Server, [redacted], and [redacted]. Additionally, the OIG included the [redacted] monitoring tool in this area.

IT Process Area: Infrastructure
Description: This area is composed of the individual security software applications that provide centralized user authentication and access to operating systems and standardized job scheduling tools. These include [redacted],[35] [redacted] and [redacted]. In addition, the area includes the [redacted] application used to transmit data between the Postal Service and its trading partners.

IT Process Area: Operations
Description: This area encompasses several functions with broad impact in supporting Postal Service IT functionality. They include backup and data restore processes, physical security at IT/ASCs and the ITSC, [redacted] and job scheduling.

IT Process Area: Application Unique
Description: This area consists of controls designed for individual systems. These applications include [redacted][37] [redacted], and [redacted].

IT Process Area: Company-wide
Description: This area contains several security monitoring functions, such as those provided by the [redacted]. This includes the [redacted] efforts to monitor and assess security systems and network resources[38] and provide comprehensive responses to computer security incidents; the [redacted] approving the connection of systems or networks to the network infrastructure; and the telecommunications team’s support of wide- and local-area networks, wireless technologies, telephones, virtual private networks, and the Postal Service’s intranet.

Source: Postal Service IT SOX Master Control Index Report.

[31] The developing company for a version of the open source UNIX operating system.
[32] DB2 (originally known as Database 2) is IBM’s relational database management system and a formal subsystem of the z/OS mainframe operating system.
[33] Formally known as [redacted] this software product provides continuous database monitoring to detect or prevent unauthorized or suspicious activity. Management uses [redacted] to monitor activity from multiple types of databases that support SOX in-scope systems.
[34] [redacted] implemented for [redacted] networks, which functions as a [redacted] for authentication and authorization of users and computers, assigning and enforcing security policies for all computers and installing or updating software.
[35] IBM implemented [redacted] as the mainframe software security product. [redacted] provides this security by identifying and verifying users, authorizing users to access protected resources and recording and reporting access attempts.
[36] The software used to monitor and maintain access to the [redacted] environment.
[37] [redacted] consists of an integrated suite of applications designed to better manage customer relationships, services, financial information, human capital, and projects in a global business environment. Centralized installation of [redacted] software at the application level eliminates the need to install and maintain application software on each desktop client computer.

Objective, Scope, and Methodology

Our objective was to evaluate and test infrastructure-level internal controls over information systems at Postal Service IT/ASCs and related IT organizations. In agreement with the IPA firm and Postal Service management, we limited the scope of our review in FY 2013 to key controls.[39]
39 After our initial reviews and before final testing\n was completed, management adjusted the status of several controls. Management\n removed controls associated with the Integrated Database Management System from\n the audit scope when the potential financial impact of the supported applications was\n reduced to an insignificant level for SOX compliance. We concurred with these changes\n to infrastructure-level controls and adjusted our work accordingly.\n\n To meet our objective, we interviewed administrators, observed master control\n processes and procedures, and reviewed applicable Postal Service policies. We\n judgmentally and randomly selected samples of SOX in-scope applications, servers,\n and SOX-related notifications for detailed control testing and analysis. We reviewed\n                        40\n 97 of                     IT master controls designed to mitigate risks associated with\n    IT infrastructure components. We tested master controls, including those associated\n with configuration baselines, separation of duties, password parameter configurations,\n security log monitor configurations, security monitoring, data restoration, and testing\n documentation. 
We also monitored corrective action taken on issues open from prior\n year reviews and performed assessments as appropriate.\n\n Table 3 shows the number of master controls for each infrastructure component to\n support in-scope financial and infrastructure applications.\n\n\n\n\n 38\n    Information Systems Security (ISS) specialists perform much of this work.\n 39\n    The primary controls that management has identified to fully mitigate SOX risks.\n 40\n    By agreement with the IPA firm, the OIG was responsible for 97 of      key IT master controls for FY 2013\n reporting.\n\n\n                                                           9\n\x0cFiscal Year 2013 Information Technology                                          IT-AR-14-003\n Internal Controls\n\n\n              Table 3: Infrastructure Components Tested by IT Process Area\n\nIT Process Area                      Infrastructure Components              Subtotal by\n                                    (Number of Master Controls)             Area\nOperating\nSystem\nDatabase\n\n\nInfrastructure\n\nOperations\n\n\nApplication\nUnique\nCompany-wide\n\n\nTotal                                                                            97\nSource: OIG analysis.\n\nWe performed all system queries in a controlled environment with management\xe2\x80\x99s full\nknowledge and approval. We conducted our audit at the\n                                   .\n\nDuring the audit, we regularly met with the IPA firm and Postal Service representatives\nto discuss gaps in controls, initial test results, and control deficiencies. The OIG and IPA\nfirm provided management with specific recommendations for corrective action on each\nreported issue on weekly IT issues logs. 
The IPA firm identified other deficiencies\naffecting the Postal Service\xe2\x80\x99s IT environment that were not in the scope of our audit.\nFollowing an internal review, management recorded IT issues on the GET to track\nprogress toward completion of corrective actions.\n\nWe conducted this performance audit from October 2012 through March 2014 in\naccordance with generally accepted government auditing standards and included such\ntests of internal controls as we considered necessary under the circumstances. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objective. We believe the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objective. We discussed our observations\nand conclusions with management on February 11, 2014, and included its comments\nwhere appropriate.\n\nWe assessed the reliability of computer-generated data by reviewing configuration files\nobtained from the audited systems and interviewing appropriate managers who were\nknowledgeable about the data. We also reviewed existing information about the data\n\n\n\n                                                10\n\x0cFiscal Year 2013 Information Technology                                        IT-AR-14-003\n Internal Controls\n\n\nand the operating systems/platforms that produced them. 
We determined the data were sufficiently reliable for the purposes of this report.

Prior Audit Coverage

Report Title                                   Report Number    Final Report Date    Monetary Impact
Fiscal Year 2012 Information Technology        IT-AR-13-003     1/28/2013            None
Internal Controls
Report Results: Many of the infrastructure-level internal controls we tested were properly designed and generally operating effectively. However, we identified opportunities to strengthen certain internal controls over security monitoring of                          operating system and database activity, as well as secondary reviews of actions taken in response to database monitoring. In addition to the issues identified in FY 2012, we reported on management's corrective actions taken on open issues identified during FY 2012 and reported in FYs 2010 and 2011. Management agreed with the recommendations, resolved 12 issues associated with five of the recommendations, and was working to complete corrective actions on five issues associated with four of the recommendations.

Fiscal Year 2011 Information Technology        IT-AR-12-003     1/9/2012             None
Internal Controls
Report Results: The infrastructure-level internal controls we tested were properly designed and generally operating effectively. However, we identified opportunities for management to strengthen certain internal controls over operating systems, databases,         job scheduling, and data back-up and restoration operations. In addition to the issues identified in FY 2011, we reported on the status of unresolved issues from the FY 2010 review. Management agreed with the recommendations. Management resolved one issue and was working to complete corrective action on the issues consolidated in the remaining recommendation.

Testing of Certain Fiscal Year 2010            FT-AR-11-007     2/16/2011            None
Sarbanes-Oxley Information Technology
Key Infrastructure Controls
Report Results: Overall, general computer controls were in place and working effectively. However, we identified issues with investigating and resolving computer security incidents in a timely manner; installing and operating an intrusion detection agent in the production                                environments; reducing the use of non-standard job scheduling software in the production environment; enhancing the quality of information in daily job logs by documenting the cause and resolution of job failures; and performing thorough semiannual reviews of access to mainframe job scheduling software. This report contained no recommendations as management agreed with our findings and planned corrective actions.

            Appendix B: Open Fiscal Year 2013 Information Technology Issues

Columns: Condition of the Control per OIG Assessment; Master Control; Report and Associated Recommendation Number

1.              Administrators did not always follow formal version control policy41 for modifying the VBScript used to monitor critical          CA Workload Automation AE scheduled jobs. Instead, administrators achieved versioning by saving the name of the script prior to major changes. A versioning system must be in place to ensure proper version control is maintained. A fully accountable check-in/check-out process must be operational.
    Master Control:          .Job_Mntr
    Report and Associated Recommendation Number: IT-AR-14-DRAFT, Recommendation 1

2.              A job scheduling procedure that documents critical jobs does not exist as required. This occurred because previous management had not developed a job scheduling procedure and current management was not aware of the requirement.
    Master Control:          .Job_Mntr
    Report and Associated Recommendation Number: IT-AR-14-DRAFT, Recommendation 2

3.                 The password expiration setting for the administrator account was set to 90, rather than 30, days. Management changed the expiration setting back to 30 days after we brought it to management's attention. However, future occurrences may not be detected because the IT master control (             PW_Parm_Config) states that reviewers obtain evidence of password settings from the administrators. These administrators could alter the password settings before or after providing the evidence to the reviewers. Internal reviewers could use the             tool to directly review the current password settings.
    Master Control:          .Review_Job_Schd;          .PW_Parm_Config
    Report and Associated Recommendation Number: IT-AR-14-DRAFT, Recommendation 3
Source: OIG analysis.

41 Handbook AS-805, Section                                                                 .

     Appendix C: Closed Information Technology Issues Reported in Prior Years

Columns: Description of Issue; Master Control (GET Identification Number)

Issue identified in FY 2010
1.
    Management implemented a reconciliation process between the                                 and the                               report on a quarterly basis for all       servers.
    Master Control (GET Identification Number):          _Compliance_Chk (2010-774)

Issues identified in FY 2011
2.  The                                  remediated the job scheduling review process and updated the                      . The files provided now show the individual permissions and role assignments in the Privileges and Active tabs.
    Master Control (GET Identification Number):          .Review_Job_Schd (2011-341/342)
3.  Management performed a coordinated team effort to reconcile          accounts against accounts registered in eAccess. Subsequent IT CMO testing verified that all accounts met Postal Service password policy.
    Master Control (GET Identification Number):          .PW_Parm_Config (2011-433)

Issues identified in FY 2012
4.  Management implemented a process improvement to periodically review access to the                    .
    Master Control (GET Identification Number):          .Review_Sec_Log (None – process improvement)
5.  Management established           account registration within eAccess so that all accounts will go through a formal request, review, and approval process.
    Master Control (GET Identification Number):          .Sec_Log_Mntr_Config (2012-121)
6.  Management added seven key security events to log for
    Master Control (GET Identification Number): Sec_Log_Mntr_Config (2012-086)
7.  Management registered the 13 service accounts in eAccess and removed the terminated account so that accounts in the       and                domains would go through a formal request, review, and approval process.
    Master Control (GET Identification Number): IT_SOD (2012-124)
8.  Management revised the           Configuration Baseline document to address the current UDS environment. The OIG reviewed the script used to test compliance with the configuration and confirmed that it includes all necessary elements.
    Master Control (GET Identification Number):          .Config_Baseline (2012-096)
9.  Management set                             purge parameters properly so that "Deleted" security incident records remained in the system for administrator review.
    Master Control (GET Identification Number):          .Sec_Log_Mntr_Config (2012-080)
10. Management updated the control document to include the      and             domains during testing.
    Master Control (GET Identification Number): IT_SOD (2012-123)
11. Management removed the                                    . Additionally, management added a local administrator account with restricted access. Domain administrators had access to the                                     that supports the monitoring tool. This provided administrators the ability to access security logging records that should not be edited or deleted.
    Master Control (GET Identification Number):          .Sec_Log_Mntr_Config (2012-098)
12. Management corrected the alert process so that all selected      server activity (administrative-level commands) is reported to       .
    Master Control (GET Identification Number):          .Sec_Log_Mntr_Config (2012-095)
13. Management revised and implemented                                             procedures and recently created an additional compensating control (independent review of the control) to ensure the control is working as intended.
    Master Control (GET Identification Number):          .Review_Sec_Log (2012-122)
14. Management uploaded updated procedure and control documents to the artifacts library that (1) instruct the        to reconcile the        and the                                               and report on a quarterly basis and (2) ensure that noncompliant production systems are reported as incidents and resolved timely. The original contained discrepancies and management did not retain a copy according to procedures written for this control.
    Master Control (GET Identification Number):          .CSP_Compliance_Chk (2012-081)
15. Management replaced the                script with new                  scanning software and instituted a reconciliation process for the          and the        report on a quarterly basis for all servers with                installed.
    Master Control (GET Identification Number):          .CSP_Compliance_Chk (2012-104)
Source: OIG analysis.

42 The                                                   is a central repository for all server assets in host computing. It is driven by a combination of configuration discovery and data put in by the customer.
43                                          offers protection for desktops and servers against malicious behaviors, blended threats, and known and unknown attacks.
44 Also known as "Linux on System z," Linux always runs in a virtual environment on IBM System z mainframes. Virtualization is handled either via logical partitions or by running under the z/VM hypervisor (virtual machine operating system for creating and running virtual machines).

              Appendix D: Status of Open Information Technology Issues
                               Reported in Prior Years

Columns: Condition of Control per Prior OIG Assessment; Master Control (GET Identification Number); Target Completion Date; Report and Associated Recommendation Number

1.  Twenty-five of 45 SOX in-scope production                    (on mainframe hardware) were not reporting intrusion-detection events to the          and were not detected by current monitoring efforts. Initial problems enabling the necessary intrusion-detection services were attributed to a configuration management tool used for          that was not properly customized for           . However, these 25 servers were identified after the expected fix was installed.
    Master Control (GET Identification Number):          .Sec_Log_Mntr_Config (2012-094)
    Target Completion Date: FY 2014, Quarter (Q) 2
    Report and Associated Recommendation Number: IT-AR-13-003, Recommendation 3
2.
    Management did not include 113 SOX in-scope servers in its review of                   r          configurations.
    Master Control (GET Identification Number):          .Config_Baseline (2012-099)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-13-003, Recommendation 6
3.  Management does not follow the required process for documenting baseline discrepancies and remediation plans for                     Specifically, management did not get approval for the remediation plans or correctly identify corrective actions for each discrepancy found and track each discrepancy to completion.
    Master Control (GET Identification Number):          .Config_Baseline (2012-100)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-13-003, Recommendation 6
4.  The current process for                       configuration baseline compliance effectively demonstrates perpetual failure of this SOX control. The control is defined such that SOX production servers should have "configuration baselines [that] meet or exceed the configuration baselines established by management." The decision to equate the         configuration baseline with hardening standards is problematic because the three hardening standards for           are inconsistent and may include unnecessary elements or exclude necessary elements for a configuration baseline that supports reliable and timely financial reporting. In addition, elements of the hardening standards duplicate other SOX controls for the        environment.
    Master Control (GET Identification Number):          .Config_Baseline (2012-097)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-13-003, Recommendation 8
5.  Existing         patch testing procedures are out of alignment with current Midrange group practices. Both the procedures and current practices require adjustment to improve the patch history of individual servers and provide assurances the control environment is operating effectively.
    Master Control (GET Identification Number):          .Testing_Doc (2012-131)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-13-003, Recommendation 9
6.  In FY 2010, the OIG reported the use of unreliable inventories of servers to determine which servers should be monitored to confirm that intrusion-detection software is running and reporting questionable activity.
    Master Control (GET Identification Number):          .CSP_Compliance_Chk (2010-827)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-12-003, Recommendation 1
7.  In FY 2011, the OIG also noted concerns with the method used to determine the universe of databases to be monitored. Throughout FY 2012, management implemented a remediation effort that clarified the need for an automated discovery tool to identify a complete list of servers in their environment, as well as automated processes to sustain the configuration data within         .
    Master Control (GET Identification Number):          .Sec_Log_Mntr_Config (2011-316)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-12-003, Recommendation 1
8.  Management did not create tickets to monitor and track unresolved issues in the        area in a timely manner. Our initial testing and follow-up testing on three occasions in FYs 2011 and 2012 disclosed cases where the tickets were not created in the required time. Management plans to revisit corrective actions taken and work with the control owner to identify additional procedures to mitigate the risk of not creating tickets in the prescribed timeframe.
    Master Control (GET Identification Number):          .Job_Mntr (2011-370)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-12-003, Recommendation 1
9.  Management draws its sample of job changes from within the change management system to determine whether all changes have gone through the required process. By employing this source for sampling, management does not have the opportunity to identify changes made to production jobs that may have circumvented the change management system. Management is evaluating the current capabilities of the standard job scheduling tools to generate a population of changes and a proposed approach because system limitations prevent an extract from the job scheduler itself.
    Master Control (GET Identification Number):          .Job_Schd_Chgs_via_CR (2011-398)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-12-003, Recommendation 1
10. Critical patches were not installed for at least 6 months on                       supporting seven in-scope applications. Management has drafted an          patch policy that incorporates the use of an enterprise project tracking system to monitor patches from vendor release to implementation in production. However, management has not determined how to define timeliness for the numerous circumstances that          applications requiring patches encounter.
    Master Control (GET Identification Number):          .Patch_Mgmt (2011-413)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-12-003, Recommendation 1
11. Management did not change the password for local administrators'         accounts on seven sampled                      and had other application and user accounts in the local account environment on 22 sampled servers. Despite remediation of previously found accounts, subsequent testing by management or the OIG disclosed additional accounts that were not properly configured. Management is reviewing the registration process in the account provisioning software and devising a plan to address the systemic problem.
    Master Control (GET Identification Number):          .PW_Parm_Config (2011-440)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-12-003, Recommendation 1
12. We identified issues associated with the            patching process, including the absence of documentation provided in patch evaluation assessment, inadequate process and artifacts to ensure that all servers are patched, and absence of test plans and results of testing within the patch management process artifacts. Management is working with the associated parties to revise           patching procedures.
    Master Control (GET Identification Number):          .Patch_Mgmt (2011-442)
    Target Completion Date: FY 2014, Q2
    Report and Associated Recommendation Number: IT-AR-12-003, Recommendation 1
Source: OIG analysis.

                                 Appendix E: Trademark Information

The following are the trademarks (™) or registered trademarks (®) of their respective owners in the U.S.47:

CA Software: Workload Automation AE™
IBM Corporation: IBM®, DB2®,
Hewlett-Packard Development Company, L.P.:
Microsoft Corporation:                                     Microsoft®,
Oracle Corporation: Oracle™,                                      , and Oracle®
Symantec Corporation: Symantec™                                                        ; Symantec™
The Open Group:

47 A trademark (™) is the name or symbol used to identify goods purchased by a particular manufacturer or distributed by a particular dealer and to distinguish them from products associated with competing manufacturers or dealers. A trademark that has been officially registered and is, therefore, legally protected is known as a Registered Trademark (®).

                           Appendix F: Management's Comments
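Appendix D, item 9, turns on where the sampling population comes from: a sample drawn only from approved change requests can never surface a production job change that bypassed change management. The following added example (not code from the OIG report or from the Postal Service) derives the population from the scheduler side instead, by diffing two constructed snapshots of job definitions, and reconciles every observed change against constructed change requests. Job names, CR numbers, dates and the snapshot layout are all assumptions.

```python
"""Reconcile scheduler-observed job changes against change requests.

Added example, not from the report. Everything below (job names,
definitions, CR ids, dates, snapshot layout) is constructed.
"""
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass(frozen=True)
class ChangeRequest:
    cr_id: str
    job: str
    approved_start: date  # first day the change may be applied
    approved_end: date    # last day the change may be applied


def definition_hash(definition):
    """Stable digest of one job definition so 'modified' is detectable."""
    canonical = "|".join(f"{k}={definition[k]}" for k in sorted(definition))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def job_change_population(before, after):
    """Population of job changes between two scheduler snapshots.

    Returns a sorted list of (job, kind) with kind in
    {'added', 'removed', 'modified'}; unchanged jobs are not listed.
    """
    changes = []
    for job in sorted(set(before) | set(after)):
        if job not in before:
            changes.append((job, "added"))
        elif job not in after:
            changes.append((job, "removed"))
        elif definition_hash(before[job]) != definition_hash(after[job]):
            changes.append((job, "modified"))
    return changes


def _in_window(cr, t0, t1):
    # CR approval window overlaps the interval between the two snapshots
    return cr.approved_start <= t1 and cr.approved_end >= t0


def cr_sample_population(crs, t0, t1):
    """What a sample drawn from the change system can see: only jobs that
    have an approved CR in the window, whether or not they really changed."""
    return sorted({cr.job for cr in crs if _in_window(cr, t0, t1)})


def reconcile(changes, crs, t0, t1):
    """Match each observed change to an in-window CR for the same job.

    'unauthorized' holds changes with no covering CR (the blind spot of
    CR-based sampling); 'approved_but_no_change' holds in-window CRs for
    which the scheduler shows no change at all.
    """
    in_window = [cr for cr in crs if _in_window(cr, t0, t1)]
    by_job = {}
    for cr in in_window:
        by_job.setdefault(cr.job, []).append(cr.cr_id)
    matched, unauthorized, used = [], [], set()
    for job, kind in changes:
        if job in by_job:
            cr_id = by_job[job][0]
            matched.append((job, kind, cr_id))
            used.add(cr_id)
        else:
            unauthorized.append((job, kind))
    no_change = sorted(cr.cr_id for cr in in_window if cr.cr_id not in used)
    return {"matched": matched, "unauthorized": unauthorized,
            "approved_but_no_change": no_change}


# Constructed snapshots of job definitions taken on T0 and T1.
T0, T1 = date(2013, 6, 9), date(2013, 6, 13)
BEFORE = {
    "FIN_GL_POST":    {"command": "/opt/jobs/gl_post.sh", "schedule": "daily 02:00"},
    "FIN_AP_EXTRACT": {"command": "/opt/jobs/ap_extract.sh", "schedule": "daily 03:00"},
    "FIN_RECON":      {"command": "/opt/jobs/recon.sh", "schedule": "weekly sun 04:00"},
    "HR_PAY_FEED":    {"command": "/opt/jobs/pay_feed.sh", "schedule": "daily 05:00"},
}
AFTER = {
    "FIN_GL_POST":    {"command": "/opt/jobs/gl_post.sh", "schedule": "daily 01:30"},
    "FIN_AP_EXTRACT": {"command": "/opt/jobs/ap_extract.sh --skip-validation",
                       "schedule": "daily 03:00"},
    "FIN_RECON":      {"command": "/opt/jobs/recon.sh", "schedule": "weekly sun 04:00"},
    "FIN_NEW_LOAD":   {"command": "/opt/jobs/new_load.sh", "schedule": "daily 06:00"},
}
# Constructed change requests from the change management system.
CHANGE_REQUESTS = [
    ChangeRequest("CR-2013-0417", "FIN_GL_POST", date(2013, 6, 10), date(2013, 6, 12)),
    ChangeRequest("CR-2013-0422", "HR_PAY_FEED", date(2013, 6, 11), date(2013, 6, 11)),
    ChangeRequest("CR-2013-0430", "FIN_RECON", date(2013, 6, 11), date(2013, 6, 12)),
    ChangeRequest("CR-2013-0301", "FIN_AP_EXTRACT", date(2013, 5, 1), date(2013, 5, 2)),
]

if __name__ == "__main__":
    pop = job_change_population(BEFORE, AFTER)
    print("CR-based sample sees:", cr_sample_population(CHANGE_REQUESTS, T0, T1))
    print("Scheduler-based population:", pop)
    print(reconcile(pop, CHANGE_REQUESTS, T0, T1))
```

The CR-based view lists FIN_RECON (approved, never changed) and omits the two production changes with no request at all; only the scheduler-derived population exposes them.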